CVE-2026-22665: CWE-178 Improper Handling of Case Sensitivity in prompts.chat
prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
AI Analysis
Technical Summary
CVE-2026-22665 describes a CWE-178 vulnerability in prompts.chat where inconsistent handling of case sensitivity in username processing leads to identity confusion. Specifically, the system treats usernames case-sensitively during write operations but case-insensitively during read operations, allowing attackers to register usernames that differ only by case and bypass uniqueness checks. This non-deterministic username resolution enables attackers to impersonate legitimate users, overwrite profile content on canonical URLs, and inject malicious metadata and content platform-wide. The vulnerability affects all versions prior to commit 1464475. The CVSS 4.0 base score is 8.6, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Potential Impact
Successful exploitation allows attackers to impersonate other users by registering case-variant usernames, potentially leading to unauthorized access to user profiles and content. Attackers can replace legitimate profile content on canonical URLs and inject attacker-controlled metadata and content, undermining platform integrity and user trust. This can facilitate further attacks such as social engineering or misinformation. There is no indication of availability impact or known active exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users and administrators should monitor vendor communications for updates. Until a fix is available, consider restricting username registration policies to enforce consistent case handling or implement manual review processes to detect suspicious case-variant usernames.
CVE-2026-22665: CWE-178 Improper Handling of Case Sensitivity in prompts.chat
Description
prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-22665 describes a CWE-178 vulnerability in prompts.chat where inconsistent handling of case sensitivity in username processing leads to identity confusion. Specifically, the system treats usernames case-sensitively during write operations but case-insensitively during read operations, allowing attackers to register usernames that differ only by case and bypass uniqueness checks. This non-deterministic username resolution enables attackers to impersonate legitimate users, overwrite profile content on canonical URLs, and inject malicious metadata and content platform-wide. The vulnerability affects all versions prior to commit 1464475. The CVSS 4.0 base score is 8.6, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Potential Impact
Successful exploitation allows attackers to impersonate other users by registering case-variant usernames, potentially leading to unauthorized access to user profiles and content. Attackers can replace legitimate profile content on canonical URLs and inject attacker-controlled metadata and content, undermining platform integrity and user trust. This can facilitate further attacks such as social engineering or misinformation. There is no indication of availability impact or known active exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users and administrators should monitor vendor communications for updates. Until a fix is available, consider restricting username registration policies to enforce consistent case handling or implement manual review processes to detect suspicious case-variant usernames.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-01-08T19:04:26.364Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d026ec0a160ebd92593012
Added to database: 4/3/2026, 8:45:32 PM
Last enriched: 4/11/2026, 9:22:15 AM
Last updated: 5/20/2026, 9:42:22 PM
Views: 77
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.